Posted by timothy on Thursday May 17, 2012 @09:25AM from the peek-a-boo dept.

An anonymous reader writes "The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore. But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks. According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess."

Actually, it's kind of sad that it's had to come to this, but most corporate routers and switches no longer have weak default protection. For example, new Cisco switches and routers now ship with a one time use password, so you have to create an account on them when configuring, or you'll never be able to log in again. This really shouldn't be necessary, but we live in a world where there are a lot of people implementing security who don't understand it. Even home routers now often force you to create your own password during setup and disable remote access by default. You could make a pretty convincing argument that the CCTV industry has fallen pretty far behind the times.

Minor side point, but there's a jewelry store below my apartment that uses wireless CCTV cameras... on a WEP protected network... with no logon required to view the stream. I feel bad when I do it, but it's hard not to look.

Using most generic search engines with "define:banal" with or without the colon shoulda pulled that up for you. I think I last used it in conversation a year or two ago. If you like banal, you should check out "jejune."

CCTV, like the rest of the electronic security biz, is going IP based in a big way now. Keep in mind most people involved with security are, pardon the expression, "hairy arsed" blue collar electrician types. They can do physical wiring ok, but do not have the aptitude for "IT" stuff, which they are positively phobic to.

As you can imagine, they can't even do the basics. Most of that stuff ends up on unfirewalled networks with the default passwords. They see it as 'if it works leave it alone', don't touch anything which might break it. If you're lucky it's a separate security network from the rest of the company, but not always.

I used to work for a company that made a particular PC-based security product (hence posting AC) and for pretty much every system we sold nobody bothered to change the default p/w. Our product was multi user, but they would only use the one default account (with the default p/w) which had engineer access rights for reconfiguring the entire system. The people who bought and installed our system just let the operators (who have no business changing settings) use that account.

Security is moving towards being more of an IT field now, but I wouldn't advise that the /. crowd look for a job there. They won't pay you an IT salary and the people you have to work with will drive you mad (ok, that last bit is true of IT in general!), which is why I no longer work there.

I live in one of those large, over-priced "planned communities" with the town centre, the gym/tennis courts/water park area, etc. They offer free, open WiFi for people in the gym area, so I was checking some mail and decided to do a little network port scanning and saw a couple dozen systems, printers, routers and such on the network, which I thought was odd, as usually those kinds of things aren't on the same network as all the free WiFi junk.

I'm just idly curious as to what is around, and came across some unusually named servers (i.e., default out of the box) and was just connected via web and it brought up the entire security camera console.

Now there was no "exploiting" going on at all. I just connected to a publicly accessible (and offered) free WiFi point, and browsed a computer name using HTTP, and there I was looking at 4 streaming cameras through a web console, at the gym. Another server (just sitting on the network as well) had all the external cameras for the doors and walkways.

Now this wasn't just a monitoring console, but the full record/stop recording, pan, zoom, admin console. Sitting out completely available, for anyone to just ping and do whatever they wanted.

I've honestly never seen anything like it. There wasn't even a password or any security. Not even a "you shouldn't be here" pop up or anything.

Has anyone ever seen a situation like this? Where a security console wasn't at least locked down to a particular MAC address for monitoring or IP restricted or, God forbid, not on the same network as your customers to randomly browse to?

I do this for a living, and have been screaming about this to anyone who would listen ever since I got into the physical security field six years ago. I've convinced my company that ALL default passwords on ALL security devices have to be changed if at all possible (on some, like Trango wireless relays, they can't be changed). We are the only company in the Pacific Northwest that does this consistently. I know this for a fact, since I often have to work on systems installed by our competitors.

This is not only an issue on cameras, either. Access control systems, intrusion systems, fire systems, and building control systems all have the same issue. You asked for an example, and here's one that I used to convince our installers that we absolutely HAD to start paying attention to this.

Hospital X has a state-of-the-art security system installed, but default passwords on everything, running on the corporate backbone. Joe Psycho wants to steal his newborn baby from the maternity ward where his ex has just given birth. He can plug into an unattended network port, maybe in a conference room, exam room, or an unoccupied office somewhere on that floor, do a port scan and find everything running on Port 80, scan the ports that the two main infant abduction systems use, and any of the various ports that the major access control systems run on. He has now found every security camera on that subnet, the controller for the access control system, the PLC for the infant abduction system's annunciator, and the communication devices for that system's RFID monitors.

First he logs into the PLC and disables it. Next he can log into the IAS's comm devices and simply change their IP address and it drops offline. Unless the nursing staff just happens to be looking at that screen at that moment they won't know that everything is offline since the annunciator won't raise an alarm. Now to the access control system's ISC, changing the administrator password and the IP address, but not hitting Accept yet. Opening a tab in his browser he can access all of the cameras for that area, again changing the root/admin password and IP address. In a quick cascade of clicking OK he will take every camera and the access control system offline, and leave it in a state where each device has to be physically touched to reset back to the factory defaults. The guard staff will assume that this is probably a network issue, since it's a whole bunch of devices in the same area, and call IT, and by the time they figure out it's an actual attack the baby's in the next county.